On 18 November 2016, the CPS received a package of 15 unencrypted DVDs from Surrey Police. Those DVDs contained recordings of intimate sensitive personal data of victims, as well as the sensitive personal data of the perpetrator. On the same day, the receiving CPS office in Guildford sent the package of DVDs to its office in Brighton, where a specialist unit would review the evidence contained on them.
The DVDs were sent by tracked DX delivery in a single box. DX logs confirm that the package was sent to the CPS Brighton office on 18 November 2016. The package was delivered to the Brighton office of the CPS – located in a shared building – on 21 November 2016. The CPS does not believe that its staff were in the building at the time.
The entry doors to the office building are locked and require a card and PIN code for access. DX has a code to enable it to make early morning deliveries before normal working hours. When DX makes early morning deliveries to the CPS Brighton office, the packages are left in an unsecured area in reception. The CPS office, including the reception area in which deliveries are left, can be accessed by anyone who is already inside the building.
It was not until 1 December 2016 that the loss of the DVDs was discovered. The loss wasn’t reported to Surrey Police until 14 December 2016, almost a month after the loss.
The DVDs were not encrypted. The CPS has stated that it is not normal practice to encrypt this kind of material. Encryption software is, however, available to all areas of the CPS.
The ICO was not notified of the data loss until 11 April 2017. The CPS was therefore fined £325,000 for losing the unencrypted storage media. The DVDs have never been found.
This is the second penalty imposed on the CPS following the loss of sensitive video recordings. The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe, and did not take into account the substantial distress that would be caused if the videos were lost.
It also found that, despite being fined £200,000 following a separate breach in November 2015 – in which victim and witness video evidence was also lost – the CPS had not ensured that appropriate care was being taken to prevent similar breaches from recurring.
Steve Eckersley, Head of Enforcement, said:
“The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data – a loss in trust could influence victims’ willingness to report serious crimes.
“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.
“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”